56 #define CONNECTION_EDGE_PRIVATE
81 #include "feature/client/circpathbias.h"
113 #include "core/or/or_circuit_st.h"
119 #ifdef HAVE_LINUX_TYPES_H
120 #include <linux/types.h>
122 #ifdef HAVE_LINUX_NETFILTER_IPV4_H
123 #include <linux/netfilter_ipv4.h>
124 #define TRANS_NETFILTER
125 #define TRANS_NETFILTER_IPV4
128 #ifdef HAVE_LINUX_IF_H
129 #include <linux/if.h>
132 #ifdef HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
133 #include <linux/netfilter_ipv6/ip6_tables.h>
134 #if defined(IP6T_SO_ORIGINAL_DST)
135 #define TRANS_NETFILTER
136 #define TRANS_NETFILTER_IPV6
143 #ifdef HAVE_SYS_IOCTL_H
144 #include <sys/ioctl.h>
146 #ifdef HAVE_SYS_PARAM_H
147 #include <sys/param.h>
150 #if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
152 #include <net/pfvar.h>
156 #ifdef IP_TRANSPARENT
/* SOCKS4 result codes. Later fragments of this listing store one of these
 * two values in byte 1 of a reply buffer (buf[1]). */
160 #define SOCKS4_GRANTED 90
161 #define SOCKS4_REJECT 91
179 c->
magic == ENTRY_CONNECTION_MAGIC);
251 int line,
const char *file))
281 "stream (marked at %s:%d) sending two socks replies?",
288 RESOLVED_TYPE_ERROR_TRANSIENT,
304 if (connection_get_inbuf_len(
TO_CONN(conn)) &&
309 log_info(
LD_EDGE,
"conn (fd "TOR_SOCKET_T_FORMAT
") reached eof. Closing.",
320 connection_mark_for_close(
TO_CONN(conn));
340 switch (conn->base_.
state) {
359 if (! conn->base_.
linked) {
367 connection_mark_for_close(
TO_CONN(conn));
374 "data from edge while in '%s' state. Sending it anyway. "
375 "package_partial=%d, buflen=%ld",
378 (
long)connection_get_inbuf_len(
TO_CONN(conn)));
381 connection_mark_for_close(
TO_CONN(conn));
395 "data from edge while in '%s' state. Leaving it on buffer.",
399 log_warn(
LD_BUG,
"Got unexpected state %d. Closing.",conn->base_.
state);
402 connection_mark_for_close(
TO_CONN(conn));
413 log_info(
LD_EDGE,
"CircID %u: At an edge. Marking connection for close.",
417 connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_DESTROY);
420 END_STREAM_REASON_DESTROY);
427 connection_mark_and_flush(
TO_CONN(conn));
/* Listing fragment: the lines between the numbered ones are not shown.
 * The visible lines store the end reason as a single char in payload[0] and
 * send a RELAY_COMMAND_END cell whose payload length is exactly 1.
 * NOTE(review): the cast to char keeps only the low byte of reason; the
 * condition that selects the END_STREAM_REASON_MISC fallback is elided --
 * confirm it rejects every value that does not fit in one byte. */
448 reason = END_STREAM_REASON_MISC;
451 payload[0] = (char) reason;
457 return relay_send_command_from_edge(stream_id, circ, RELAY_COMMAND_END,
458 payload, 1, cpath_layer);
472 (reason == END_STREAM_REASON_CONNECTREFUSED ||
473 reason == END_STREAM_REASON_TIMEOUT)) {
474 #define WARN_FAILED_HS_CONNECTION 300
475 static ratelim_t warn_limit = RATELIM_INIT(WARN_FAILED_HS_CONNECTION);
478 log_warn(
LD_EDGE,
"Onion service connection to %s failed (%s)",
/* Listing fragment (the log text names connection_edge_end); lines between
 * the numbered ones are not shown.
 * payload_len starts at 1, matching the single reason byte written to
 * payload[0] below. control_reason keeps a copy of the caller's reason
 * before reason can be replaced by END_STREAM_REASON_MISC; that copy is what
 * is later passed to warn_if_hs_unreachable(). */
512 size_t payload_len=1;
514 uint8_t control_reason = reason;
517 log_warn(
LD_BUG,
"(Harmless.) Calling connection_edge_end (reason %d) "
518 "on an already ended stream?", reason);
525 "called on conn that's already marked for close at %s:%d.",
535 reason = END_STREAM_REASON_MISC;
/* For END_STREAM_REASON_EXITPOLICY (the rest of the condition is elided) the
 * payload grows by 4 + addrlen bytes.
 * NOTE(review): neither the declared size of payload nor the range of
 * addrlen is visible here -- confirm the buffer holds 1 + 4 + addrlen bytes
 * for the largest address the elided code can append. */
538 payload[0] = (char)reason;
539 if (reason == END_STREAM_REASON_EXITPOLICY &&
550 payload_len += 4+addrlen;
554 log_debug(
LD_EDGE,
"Sending end on conn (fd "TOR_SOCKET_T_FORMAT
").",
563 payload, payload_len);
566 warn_if_hs_unreachable(conn, control_reason);
568 log_debug(
LD_EDGE,
"No circ to send end on conn "
569 "(fd "TOR_SOCKET_T_FORMAT
").",
619 log_warn(
LD_BUG,
"Duplicate stream close for stream %d on circuit %d",
779 int found, remove_idx;
790 half = smartlist_get(half_conns, remove_idx);
792 half_edge_free(half);
829 switch (conn->base_.
state) {
831 if (! conn->base_.
linked) {
858 switch (conn->base_.
state) {
873 log_warn(
LD_BUG,
"Called in unexpected state %d.",conn->base_.
state);
/* Declared upper bound, presumably for the payload length computed by the
 * fragment below. The lengths visible here are 4 for AF_INET and 21 for
 * AF_INET6, followed by a "+= 4"; 21 + 4 equals this bound.
 * NOTE(review): the writes into the payload buffer are elided, as is the
 * branch for any other address family -- confirm the caller's buffer is at
 * least MAX_CONNECTED_CELL_PAYLOAD_LEN bytes and that connected_payload_len
 * is never returned uninitialised. */
883 #define MAX_CONNECTED_CELL_PAYLOAD_LEN 25
897 int connected_payload_len;
902 if (family == AF_INET) {
904 connected_payload_len = 4;
905 }
else if (family == AF_INET6) {
909 connected_payload_len = 21;
915 connected_payload_len += 4;
919 return connected_payload_len;
/* Listing fragment: formats a text line into buf and appends strlen(buf)
 * bytes of it to the edge connection's buffer.
 * The visible format arguments are the two 16-bit halves of gid, the fixed
 * destination "::1", src_port and dst_port. src_port defaults to 1 and is
 * overwritten with the low 16 bits of gid on a path whose condition is
 * elided.
 * NOTE(review): presumably the source address is src_ipv6_prefix followed by
 * the two gid halves, so the address the backend sees is synthetic rather
 * than a client address -- confirm against the full file. The format string
 * and the declaration of buf are not shown; confirm the formatting call is
 * bounded by sizeof(buf). */
933 const char dst_ipv6[] =
"::1";
935 const char src_ipv6_prefix[] =
"fc00:dead:beef:4dad:";
936 uint16_t dst_port = 0;
937 uint16_t src_port = 1;
943 src_port = gid & 0x0000ffff;
947 if (edge_conn->hs_ident) {
954 gid >> 16, gid & 0x0000ffff,
955 dst_ipv6, src_port, dst_port);
957 connection_buf_add(buf, strlen(buf),
TO_CONN(edge_conn));
975 log_info(LD_EXIT,
"%s established.",
983 if (connection_get_outbuf_len(conn))
989 RELAY_COMMAND_CONNECTED, NULL, 0) < 0)
993 int connected_payload_len =
996 if (connected_payload_len < 0)
1000 RELAY_COMMAND_CONNECTED,
1001 (
char*)connected_payload, connected_payload_len) < 0)
1017 static int untried_pending_connections = 0;
1031 log_warn(
LD_BUG,
"(Harmless.) Edge connection (marked at %s:%d) "
1032 "hasn't sent end yet?",
1052 log_warn(
LD_BUG,
"Closing stream (marked at %s:%d) without sending"
1053 " back a socks reply.",
1057 log_warn(
LD_BUG,
"Closing stream (marked at %s:%d) without having"
1062 log_warn(
LD_BUG,
"Closing stream (marked at %s:%d) without having"
1063 " replied to DNS request.",
1076 connection_ap_warn_and_unmark_if_pending_circ(entry_conn,
1138 time_t now = time(NULL);
1142 int seconds_idle, seconds_since_born;
1146 if (base_conn->type !=
CONN_TYPE_AP || base_conn->marked_for_close)
1153 seconds_idle = (int)( now - base_conn->timestamp_last_read_allowed );
1154 seconds_since_born = (int)( now - base_conn->timestamp_created );
1166 "Tried for %d seconds to get a connection to %s:%d. "
1172 connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TIMEOUT);
1181 if (seconds_idle < cutoff)
1185 log_info(
LD_APP,
"Conn is waiting (address %s), but lost its circ.",
1187 connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TIMEOUT);
1193 "Rend stream is %d seconds late. Giving up on address"
1202 connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TIMEOUT);
1213 log_warn(
LD_BUG,
"circuit->purpose == CIRCUIT_PURPOSE_C_GENERAL failed. "
1214 "The purpose on the circuit was %s; it was in state %s, "
1223 "We tried for %d seconds to connect to '%s' using exit %s."
1224 " Retrying on a new circuit.",
1245 END_STREAM_REASON_TIMEOUT)<0) {
1246 if (!base_conn->marked_for_close)
1247 connection_mark_unattached_ap(entry_conn,
1250 } SMARTLIST_FOREACH_END(base_conn);
1267 if (conn->marked_for_close ||
1275 log_warn(
LD_BUG,
"Found a connection %p that was supposed to be "
1276 "in pending_entry_connections, but wasn't. No worries; "
1279 untried_pending_connections = 1;
1280 connection_ap_mark_as_pending_circuit(entry_conn);
1283 } SMARTLIST_FOREACH_END(conn);
1288 #ifdef DEBUGGING_17659
1289 #define UNMARK() do { \
1290 entry_conn->marked_pending_circ_line = 0; \
1291 entry_conn->marked_pending_circ_file = 0; \
1294 #define UNMARK() do { } while (0)
1311 if (untried_pending_connections == 0 && !retry)
1328 if (conn->
magic != ENTRY_CONNECTION_MAGIC) {
1329 log_warn(
LD_BUG,
"%p has impossible magic value %u.",
1330 entry_conn, (
unsigned)conn->
magic);
1335 log_warn(
LD_BUG,
"%p is no longer in circuit_wait. Its current state "
1336 "is %s. Why is it on pending_entry_connections?",
1346 connection_mark_unattached_ap(entry_conn,
1365 } SMARTLIST_FOREACH_END(entry_conn);
1367 smartlist_free(pending);
1368 untried_pending_connections = 0;
1388 const char *fname,
int lineno)
1401 attach_pending_entry_connections_cb, NULL);
1405 log_warn(
LD_BUG,
"What?? pending_entry_connections already contains %p! "
1406 "(Called from %s:%d.)",
1407 entry_conn, fname, lineno);
1408 #ifdef DEBUGGING_17659
1409 const char *f2 = entry_conn->marked_pending_circ_file;
1410 log_warn(
LD_BUG,
"(Previously called from %s:%d.)\n",
1412 entry_conn->marked_pending_circ_line);
1418 #ifdef DEBUGGING_17659
1419 entry_conn->marked_pending_circ_line = (uint16_t) lineno;
1420 entry_conn->marked_pending_circ_file = fname;
1423 untried_pending_connections = 1;
1461 log_warn(
LD_BUG,
"What was %p doing in pending_entry_connections in %s?",
1480 if (conn->marked_for_close ||
1502 log_info(
LD_APP,
"Closing one-hop stream to '%s/%s' because the OR conn "
1505 connection_mark_unattached_ap(entry_conn, END_STREAM_REASON_TIMEOUT);
1506 } SMARTLIST_FOREACH_END(conn);
1521 if (conn->marked_for_close ||
1530 NNF_NO_WARN_UNNAMED);
1532 if (!r1 || !r2 || r1 != r2)
1536 log_info(
LD_APP,
"Giving up on enclave exit '%s' for destination %s.",
1554 } SMARTLIST_FOREACH_END(conn);
1562 CONNECTION_AP_EXPECT_NONPENDING(conn);
1580 ENTRY_TO_CONN(conn)->timestamp_last_read_allowed = time(NULL);
1596 connection_ap_mark_as_pending_circuit(conn);
1614 log_warn(
LD_APP,
"Application request to port %d: this port is "
1615 "commonly used for unencrypted protocols. Please make sure "
1616 "you don't send anything you would mind the rest of the "
1617 "Internet reading!%s", port, reject ?
" Closing." :
"");
1619 port, reject ?
"REJECT" :
"WARN");
1623 log_info(
LD_APP,
"Port %d listed in RejectPlaintextPorts. Closing.", port);
1624 connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
/* Listing fragment: classifies a hostname by its last dot-separated label
 * and reports the result through *type_out. Lines between the numbered ones
 * are not shown.
 * s points at the last '.' in address. A final label of "exit" yields
 * EXIT_HOSTNAME; a final label other than "onion" yields NORMAL_HOSTNAME.
 * NOTE(review): the guard for s == NULL is elided; the NORMAL_HOSTNAME
 * assignment right after strrchr() is presumably that case -- confirm, since
 * s+1 is dereferenced below. */
1662 s = strrchr(address,
'.');
1664 *type_out = NORMAL_HOSTNAME;
1667 if (!strcmp(s+1,
"exit")) {
1669 *type_out = EXIT_HOSTNAME;
1672 if (strcmp(s+1,
"onion")) {
1673 *type_out = NORMAL_HOSTNAME;
/* Second strrchr() on the same buffer; q becomes either the start of address
 * (no '.' found) or the character after the last '.'.
 * NOTE(review): presumably the elided lines cut the ".onion" suffix off
 * before this search, so q selects the label that precedes it -- confirm. */
1680 q = strrchr(address,
'.');
1682 *type_out = BAD_HOSTNAME;
1685 q = (NULL == q) ? address : q + 1;
1688 *type_out = BAD_HOSTNAME;
/* q points into address, so source and destination overlap; memmove() is the
 * call that is defined for that, and strlen(q) + 1 carries the terminating
 * NUL along. The result is address rewritten in place to start at q. */
1692 memmove(address, q, strlen(q) + 1 );
1696 *type_out = ONION_V2_HOSTNAME;
1705 *type_out = ONION_V3_HOSTNAME;
1713 *type_out = BAD_HOSTNAME;
/* Rejection path: the address is passed through safe_str_client() before it
 * reaches the log (presumably so client-supplied hostnames can be scrubbed;
 * that helper is defined elsewhere). After logging, a type of
 * ONION_V3_HOSTNAME is replaced by BAD_HOSTNAME.
 * NOTE(review): only the v3 case is reset in the visible lines; what is
 * returned for an ONION_V2_HOSTNAME that reaches this path is not shown. */
1721 const bool is_onion = (*type_out == ONION_V2_HOSTNAME) ||
1722 (*type_out == ONION_V3_HOSTNAME);
1723 log_warn(
LD_APP,
"Invalid %shostname %s; rejecting",
1724 is_onion ?
"onion " :
"",
1725 safe_str_client(address));
1726 if (*type_out == ONION_V3_HOSTNAME) {
1727 *type_out = BAD_HOSTNAME;
1735 #define TRACKHOSTEXITS_RETRIES 5
1763 rewrite_result_t *out)
/* Listing fragment: resets the rewrite result before any rewriting happens.
 * map_expires starts at TIME_MAX, end_reason and should_close at 0, and
 * orig_address is set to the empty string. */
1772 out->map_expires = TIME_MAX;
1773 out->end_reason = 0;
1774 out->should_close = 0;
1775 out->orig_address[0] = 0;
/* The client-requested address is saved with strlcpy() bounded by
 * sizeof(out->orig_address), so an over-long address is truncated rather
 * than written past the field. The debug log passes the address through
 * safe_str_client(). */
1780 strlcpy(out->orig_address, socks->
address,
sizeof(out->orig_address));
1781 log_debug(
LD_APP,
"Client asked for %s:%d",
1782 safe_str_client(socks->
address),
/* ".exit" rejection: the warning is rate-limited through a static ratelim_t
 * initialised with 60*15 (presumably seconds -- confirm), and the stream is
 * flagged to be closed with END_STREAM_REASON_TORPROTOCOL. The condition
 * that selects this path is elided. */
1789 static ratelim_t exit_warning_limit = RATELIM_INIT(60*15);
1791 "The \".exit\" notation is disabled in Tor due to "
1795 out->end_reason = END_STREAM_REASON_TORPROTOCOL;
1796 out->should_close = 1;
1815 const unsigned rewrite_flags = AMR_FLAG_USE_MAPADDRESS;
1817 rewrite_flags, &out->map_expires, &out->exit_source)) {
1837 const char *new_addr;
1840 int addr_type = RESOLVED_TYPE_IPV4;
1842 if (!conn->entry_cfg.ipv4_traffic ||
1843 (conn->entry_cfg.ipv6_traffic && conn->entry_cfg.prefer_ipv6) ||
1845 addr_type = RESOLVED_TYPE_IPV6;
1852 addr_type, tor_strdup(socks->
address));
1854 log_warn(
LD_APP,
"Unable to automap address %s",
1856 out->end_reason = END_STREAM_REASON_INTERNAL;
1857 out->should_close = 1;
1860 log_info(
LD_APP,
"Automapping %s to %s",
1862 safe_str_client(new_addr));
1871 unsigned rewrite_flags = 0;
1873 rewrite_flags |= AMR_FLAG_USE_IPV4_DNS;
1874 if (conn->entry_cfg.use_cached_ipv6_answers)
1875 rewrite_flags |= AMR_FLAG_USE_IPV6_DNS;
1878 rewrite_flags, &out->map_expires)) {
1879 char *result = tor_strdup(socks->
address);
1884 strlen(result), (uint8_t*)result,
1888 out->end_reason = END_STREAM_REASON_DONE |
1890 out->should_close = 1;
1902 &addr, socks->
address, AF_UNSPEC, 1);
1903 if (ok == 1 && tor_addr_is_internal(&addr, 0)) {
1905 0, NULL, -1, TIME_MAX);
1908 out->should_close = 1;
1923 unsigned rewrite_flags = AMR_FLAG_USE_AUTOMAP | AMR_FLAG_USE_TRACKEXIT;
1926 rewrite_flags |= AMR_FLAG_USE_IPV4_DNS;
1927 if (conn->entry_cfg.use_cached_ipv6_answers)
1928 rewrite_flags |= AMR_FLAG_USE_IPV6_DNS;
1930 rewrite_flags, &out->map_expires, &exit_source2)) {
1937 out->exit_source = exit_source2;
1950 log_warn(
LD_APP,
"Missing mapping for virtual address '%s'. Refusing.",
1951 safe_str_client(socks->
address));
1952 out->end_reason = END_STREAM_REASON_INTERNAL;
1953 out->should_close = 1;
1970 if (!conn->entry_cfg.onion_traffic) {
1971 log_warn(
LD_APP,
"Onion address %s requested from a port with .onion "
1972 "disabled", safe_str_client(socks->
address));
1973 connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
1979 if (SOCKS_COMMAND_IS_RESOLVE(socks->
command)) {
1983 "Resolve requests to hidden services not allowed. Failing.");
1985 0,NULL,-1,TIME_MAX);
1986 connection_mark_unattached_ap(conn,
1995 log_warn(
LD_CONTROL,
"Attachstream to a circuit is not "
1996 "supported for .onion addresses currently. Failing.");
1997 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
2003 const char *onion_address = NULL;
2004 int rend_cache_lookup_result = -ENOENT;
2005 int descriptor_is_usable = 0;
2007 if (addresstype == ONION_V2_HOSTNAME) {
2014 const uint8_t *cookie = NULL;
2017 log_info(
LD_REND,
"Using previously configured client authorization "
2018 "for hidden service request.");
2019 auth_type = client_auth->auth_type;
2020 cookie = client_auth->descriptor_cookie;
2028 if (rend_data == NULL) {
2032 log_info(
LD_REND,
"Got a hidden service request for ID '%s'",
2033 safe_str_client(onion_address));
2037 if (!rend_cache_lookup_result && entry) {
2041 tor_assert(addresstype == ONION_V3_HOSTNAME);
2051 log_warn(
LD_GENERAL,
"failed to parse hs address");
2057 onion_address = socks->
address;
2062 rend_cache_lookup_result = 0;
2063 descriptor_is_usable =
2066 log_info(
LD_GENERAL,
"Found %s descriptor in cache for %s. %s.",
2067 (descriptor_is_usable) ?
"usable" :
"unusable",
2068 safe_str_client(onion_address),
2069 (descriptor_is_usable) ?
"Not fetching." :
"Refetching.");
2071 rend_cache_lookup_result = -ENOENT;
2077 unsigned int refetch_desc = 0;
2078 if (rend_cache_lookup_result < 0) {
2079 switch (-rend_cache_lookup_result) {
2082 log_warn(
LD_BUG,
"Invalid service name '%s'",
2083 safe_str_client(onion_address));
2084 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
2088 log_info(
LD_REND,
"No descriptor found in our cache for %s. Fetching.",
2089 safe_str_client(onion_address));
2093 log_warn(
LD_BUG,
"Unknown cache lookup error %d",
2094 rend_cache_lookup_result);
2107 if (refetch_desc || !descriptor_is_usable) {
2111 if (addresstype == ONION_V2_HOSTNAME) {
2117 tor_assert(addresstype == ONION_V3_HOSTNAME);
2142 log_info(
LD_REND,
"Descriptor is here. Great.");
2147 connection_ap_mark_as_pending_circuit(conn);
2174 time_t now = time(NULL);
2175 rewrite_result_t rr;
2180 memset(&rr, 0,
sizeof(rr));
2181 connection_ap_handshake_rewrite(conn,&rr);
2183 if (rr.should_close) {
2187 connection_mark_unattached_ap(conn, rr.end_reason);
2194 const time_t map_expires = rr.map_expires;
2195 const int automap = rr.automap;
2204 if (addresstype == BAD_HOSTNAME) {
2207 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
2217 if (addresstype == EXIT_HOSTNAME) {
2222 const node_t *node = NULL;
2230 log_warn(
LD_APP,
"Stale automapped address for '%s.exit'. Refusing.",
2231 safe_str_client(socks->
address));
2234 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
2244 log_warn(
LD_BUG,
"Address '%s.exit', with impossible source for the "
2245 ".exit part. Refusing.",
2246 safe_str_client(socks->
address));
2249 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
2260 char *s = strrchr(socks->
address,
'.');
2275 log_warn(
LD_APP,
"Malformed exit address '%s.exit'. Refusing.",
2276 safe_str_client(socks->
address));
2279 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
2297 "Unrecognized relay in exit address '%s.exit'. Refusing.",
2298 safe_str_client(socks->
address));
2299 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
2305 "Excluded relay in exit address '%s.exit'. Refusing.",
2306 safe_str_client(socks->
address));
2307 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
2316 if (addresstype != ONION_V2_HOSTNAME && addresstype != ONION_V3_HOSTNAME) {
2327 "Destination '%s' seems to be an invalid hostname. Failing.",
2328 safe_str_client(socks->
address));
2329 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
2344 if (!conn->entry_cfg.dns_request && !conn->entry_cfg.ipv4_traffic
2345 && !conn->entry_cfg.ipv6_traffic) {
2346 log_warn(
LD_APP,
"Refusing to connect to non-hidden-service hostname "
2347 "or IP address %s because Port has OnionTrafficOnly set (or "
2348 "NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic).",
2349 safe_str_client(socks->
address));
2350 connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
2359 if (socks_family == -1) {
2360 if (!conn->entry_cfg.dns_request) {
2361 log_warn(
LD_APP,
"Refusing to connect to hostname %s "
2362 "because Port has NoDNSRequest set.",
2363 safe_str_client(socks->
address));
2364 connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
2367 }
else if (socks_family == AF_INET) {
2368 if (!conn->entry_cfg.ipv4_traffic) {
2369 log_warn(
LD_APP,
"Refusing to connect to IPv4 address %s because "
2370 "Port has NoIPv4Traffic set.",
2371 safe_str_client(socks->
address));
2372 connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
2375 }
else if (socks_family == AF_INET6) {
2376 if (!conn->entry_cfg.ipv6_traffic) {
2377 log_warn(
LD_APP,
"Refusing to connect to IPv6 address %s because "
2378 "Port has NoIPv6Traffic set.",
2379 safe_str_client(socks->
address));
2380 connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
2384 tor_assert_nonfatal_unreached_once();
2395 strlcpy(socks->
address, rr.orig_address,
sizeof(socks->
address));
2398 connection_mark_unattached_ap(conn,
2399 END_STREAM_REASON_DONE |
2410 if (socks->
port == 0) {
2411 log_notice(
LD_APP,
"Application asked to connect to port 0. Refusing.");
2412 connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
2426 tor_addr_is_internal(&addr, 0))) {
2431 #define WARN_INTRVL_LOOP 300
2432 static ratelim_t loop_warn_limit = RATELIM_INIT(WARN_INTRVL_LOOP);
2436 "Rejecting request for anonymous connection to private "
2437 "address %s on a TransPort or NATDPort. Possible loop "
2438 "in your NAT rules?%s", safe_str_client(socks->
address),
2443 #define WARN_INTRVL_PRIV 300
2444 static ratelim_t priv_warn_limit = RATELIM_INIT(WARN_INTRVL_PRIV);
2448 "Rejecting SOCKS request for anonymous connection to "
2449 "private address %s.%s",
2450 safe_str_client(socks->
address),m);
2470 if ((family == AF_INET && ! conn->entry_cfg.ipv4_traffic) ||
2471 (family == AF_INET6 && ! conn->entry_cfg.ipv6_traffic)) {
2474 log_warn(
LD_NET,
"Rejecting SOCKS request for an IP address "
2475 "family that this listener does not support.");
2476 connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
2478 }
else if (family == AF_INET6 && socks->
socks_version == 4) {
2481 log_warn(
LD_NET,
"Rejecting SOCKS4 request for an IPv6 address.");
2482 connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
2485 !conn->entry_cfg.ipv4_traffic) {
2489 log_warn(
LD_NET,
"Rejecting SOCKS4 request on a listener with "
2490 "no IPv4 traffic supported.");
2491 connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
2493 }
else if (family == AF_INET6) {
2496 conn->entry_cfg.ipv4_traffic = 0;
2497 }
else if (family == AF_INET) {
2500 conn->entry_cfg.ipv6_traffic = 0;
2507 conn->entry_cfg.ipv6_traffic = 0;
2521 "Redirecting address %s to exit at enclave router %s",
2565 connection_ap_mark_as_pending_circuit(conn);
2582 tor_assert(addresstype == ONION_V2_HOSTNAME ||
2583 addresstype == ONION_V3_HOSTNAME);
2592 static int pf_socket = -1;
2601 #if defined(OpenBSD)
2610 log_warn(
LD_NET,
"open(\"/dev/pf\") failed: %s", strerror(errno));
/* Listing fragment: asks the kernel for the original destination of a
 * transparently redirected connection. Lines between the numbered ones are
 * not shown, including some #ifdef/#endif lines, so the preprocessor nesting
 * below is incomplete.
 * orig_dst is a struct sockaddr_storage and orig_dst_len is initialised to
 * sizeof(orig_dst), so every getsockname()/getsockopt() call below is told
 * the true capacity of the buffer it writes into. */
2619 #if defined(TRANS_NETFILTER) || defined(TRANS_PF) || \
2620 defined(TRANS_TPROXY)
2626 struct sockaddr_storage orig_dst;
2627 socklen_t orig_dst_len =
sizeof(orig_dst);
/* NOTE(review): the condition guarding this first getsockname() is elided;
 * presumably it is the TRANS_TPROXY path -- confirm. */
2632 if (getsockname(
ENTRY_TO_CONN(conn)->s, (
struct sockaddr*)&orig_dst,
2633 &orig_dst_len) < 0) {
2635 log_warn(
LD_NET,
"getsockname() failed: %s", tor_socket_strerror(e));
/* Netfilter path: SO_ORIGINAL_DST at level SOL_IP for IPv4 and
 * IP6T_SO_ORIGINAL_DST at level SOL_IPV6 for IPv6. A failing getsockopt()
 * is logged; an address family with no matching case logs a bug warning.
 * NOTE(review): the value read here is whatever the local packet filter
 * recorded as the pre-redirect destination; the code that checks the
 * returned family and copies the address into the request is not visible
 * in this listing. */
2642 #ifdef TRANS_NETFILTER
2645 #ifdef TRANS_NETFILTER_IPV4
2647 rv = getsockopt(
ENTRY_TO_CONN(conn)->s, SOL_IP, SO_ORIGINAL_DST,
2648 (
struct sockaddr*)&orig_dst, &orig_dst_len);
2651 #ifdef TRANS_NETFILTER_IPV6
2653 rv = getsockopt(
ENTRY_TO_CONN(conn)->s, SOL_IPV6, IP6T_SO_ORIGINAL_DST,
2654 (
struct sockaddr*)&orig_dst, &orig_dst_len);
2658 log_warn(
LD_BUG,
"Received transparent data from an unsupported "
2665 log_warn(
LD_NET,
"getsockopt() failed: %s", tor_socket_strerror(e));
2669 #elif defined(TRANS_PF)
2670 if (getsockname(
ENTRY_TO_CONN(conn)->s, (
struct sockaddr*)&orig_dst,
2671 &orig_dst_len) < 0) {
2673 log_warn(
LD_NET,
"getsockname() failed: %s", tor_socket_strerror(e));
2680 log_warn(
LD_BUG,
"Unable to determine destination from socket.");
/* Listing fragment: resolves the original destination through a pf NAT
 * lookup (DIOCNATLOOK). Lines between the numbered ones are not shown.
 * proxy_addr is a struct sockaddr_storage and proxy_addr_len starts at
 * sizeof(proxy_addr), so getsockname() cannot be told a larger capacity than
 * the buffer has. */
2696 struct sockaddr_storage proxy_addr;
2697 socklen_t proxy_addr_len =
sizeof(proxy_addr);
2698 struct sockaddr *proxy_sa = (
struct sockaddr*) &proxy_addr;
2699 struct pfioc_natlook pnl;
2703 if (getsockname(
ENTRY_TO_CONN(conn)->s, (
struct sockaddr*)&proxy_addr,
2704 &proxy_addr_len) < 0) {
2706 log_warn(
LD_NET,
"getsockname() to determine transocks destination "
2707 "failed: %s", tor_socket_strerror(e));
2712 if (
get_options()->TransProxyType_parsed == TPT_IPFW) {
/* The lookup request is zeroed before any field is set, so fields this code
 * does not assign are passed to the ioctl as 0 rather than as stack
 * contents. Only AF_INET and AF_INET6 are filled in; any other family from
 * getsockname() is logged as unexpected. The IPv6 copies use
 * sizeof(struct in6_addr) as the length on both sides. */
2726 memset(&pnl, 0,
sizeof(pnl));
2727 pnl.proto = IPPROTO_TCP;
2728 pnl.direction = PF_OUT;
2729 if (proxy_sa->sa_family == AF_INET) {
2730 struct sockaddr_in *sin = (
struct sockaddr_in *)proxy_sa;
2734 pnl.daddr.v4.s_addr = sin->sin_addr.s_addr;
2735 pnl.dport = sin->sin_port;
2736 }
else if (proxy_sa->sa_family == AF_INET6) {
2743 memcpy(&pnl.saddr.v6, dest_in6,
sizeof(
struct in6_addr));
2745 memcpy(&pnl.daddr.v6, &sin6->sin6_addr,
sizeof(
struct in6_addr));
2746 pnl.dport = sin6->sin6_port;
2748 log_warn(
LD_NET,
"getsockname() gave an unexpected address family (%d)",
2749 (
int)proxy_sa->sa_family);
/* A failing ioctl is logged with strerror(errno). On success the family
 * reported back in pnl.af selects how the result is read, and the port is
 * converted with ntohs() before it is stored in the request.
 * NOTE(review): the check of get_pf_socket()'s return value is elided --
 * confirm a failed open of the pf device never reaches the ioctl. */
2753 pf = get_pf_socket();
2757 if (ioctl(pf, DIOCNATLOOK, &pnl) < 0) {
2758 log_warn(
LD_NET,
"ioctl(DIOCNATLOOK) failed: %s", strerror(errno));
2762 if (pnl.af == AF_INET) {
2764 }
else if (pnl.af == AF_INET6) {
2772 req->
port = ntohs(pnl.rdport);
2789 #ifdef TRANS_NETFILTER
2790 return destination_from_socket(conn, req);
2791 #elif defined(TRANS_PF)
2795 return destination_from_socket(conn, req);
2799 return destination_from_pf(conn, req);
2803 log_warn(
LD_BUG,
"Proxy destination determination mechanism %s unknown.",
2809 log_warn(
LD_BUG,
"Called connection_ap_get_original_destination, but no "
2810 "transparent proxy method was configured.");
2840 log_debug(
LD_APP,
"entered.");
2847 connection_buf_add((
const char*)socks->
reply, socks->
replylen,
2850 if (sockshere == -1) {
2857 if (sockshere == 0) {
2858 log_debug(
LD_APP,
"socks handshake not all here yet.");
2860 }
else if (sockshere == -1) {
2862 log_warn(
LD_APP,
"Fetching socks handshake failed. Closing.");
2866 connection_mark_unattached_ap(conn,
2872 if (SOCKS_COMMAND_IS_CONNECT(socks->
command))
2901 log_debug(
LD_APP,
"entered.");
2904 log_warn(
LD_APP,
"Fetching original destination failed. Closing.");
2905 connection_mark_unattached_ap(conn,
/* Listing fragment: parses a NATD handshake line held in a fixed 36-byte
 * stack buffer. Lines between the numbered ones are not shown.
 * NOTE(review): the read that fills tmp_buf is elided. The "DEST too long"
 * warning suggests over-long input is rejected, but confirm that the fill is
 * bounded by sizeof(tmp_buf) and that the buffer is NUL-terminated before
 * the strchr() below runs on it. */
2930 char tmp_buf[36], *tbuf, *daddr;
2940 log_debug(
LD_APP,
"entered.");
2948 log_warn(
LD_APP,
"NATD handshake failed (DEST too long). Closing");
2954 log_warn(
LD_APP,
"NATD handshake was ill-formed; closing. The client "
/* daddr and tbuf both start 6 bytes into tmp_buf (presumably skipping a
 * fixed command prefix that the elided lines verified -- confirm). tbuf is
 * then advanced to the first space; a line without one is treated as
 * ill-formed. */
2961 daddr = tbuf = &tmp_buf[0] + 6;
2962 if (!(tbuf = strchr(tbuf,
' '))) {
2963 log_warn(
LD_APP,
"NATD handshake was ill-formed; closing. The client "
/* The port is narrowed to uint16_t; the parse call that produces it and its
 * range arguments are elided. The warning below covers an ill-formed or
 * out-of-range port. */
2974 socks->
port = (uint16_t)
2977 log_warn(
LD_APP,
"NATD handshake failed; port %s is ill-formed or out "
2993 static const char HTTP_CONNECT_IS_NOT_AN_HTTP_PROXY_MSG[] =
2994 "HTTP/1.0 405 Method Not Allowed\r\n"
2995 "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
2998 "<title>This is an HTTP CONNECT tunnel, not a full HTTP Proxy</title>\n"
3001 "<h1>This is an HTTP CONNECT tunnel, not an HTTP proxy.</h1>\n"
3003 "It appears you have configured your web browser to use this Tor port as\n"
3006 "This is not correct: This port is configured as a CONNECT tunnel, not\n"
3007 "an HTTP proxy. Please configure your client accordingly. You can also\n"
3008 "use HTTPS; then the client should automatically use HTTP CONNECT."
3011 "See <a href=\"https://www.torproject.org/documentation.html\">"
3012 "https://www.torproject.org/documentation.html</a> for more "
/* Listing fragment: handles an HTTP CONNECT request on a tunnel port. Lines
 * between the numbered ones are not shown.
 * Every failure path selects a fixed response string in errmsg; nothing from
 * the request is echoed into the response in the visible lines. */
3030 char *headers = NULL, *body = NULL;
3031 char *
command = NULL, *addrport = NULL;
3035 const char *errmsg = NULL;
/* NOTE(review): the fetch call is elided apart from its last arguments; the
 * 1024 is presumably a size limit on the request being buffered -- confirm
 * which parameter it is. A negative status maps to 400 Bad Request. */
3038 const int http_status =
3040 &body, &bodylen, 1024, 0);
3041 if (http_status < 0) {
3043 errmsg =
"HTTP/1.0 400 Bad Request\r\n\r\n";
3045 }
else if (http_status == 0) {
3051 if (cmd_status < 0) {
3052 errmsg =
"HTTP/1.0 400 Bad Request\r\n\r\n";
/* Any method other than CONNECT (compared case-insensitively) gets the
 * explanatory "not an HTTP proxy" response instead of being proxied. */
3057 if (strcasecmp(
command,
"connect")) {
3058 errmsg = HTTP_CONNECT_IS_NOT_AN_HTTP_PROXY_MSG;
3066 errmsg =
"HTTP/1.0 400 Bad Request\r\n\r\n";
/* An address of MAX_SOCKS_ADDR_LEN characters or more is refused with 414,
 * which leaves room for the terminating NUL in a MAX_SOCKS_ADDR_LEN-byte
 * field. NOTE(review): the copy into the request structure is elided --
 * confirm the destination really is that size. */
3069 if (strlen(addr) >= MAX_SOCKS_ADDR_LEN) {
3070 errmsg =
"HTTP/1.0 414 Request-URI Too Long\r\n\r\n";
/* Two client-supplied headers are read here. NOTE(review): how their values
 * are used (and freed) is elided; presumably both feed stream isolation --
 * confirm, and confirm a credential from Proxy-Authorization is never
 * logged. */
3077 char *authorization =
http_get_header(headers,
"Proxy-Authorization: ");
3078 if (authorization) {
3082 char *isolation =
http_get_header(headers,
"X-Tor-Stream-Isolation: ");
/* Error exit: if no message was chosen, BUG() flags it and 400 is used as
 * the fallback. The chosen message is logged through escaped() and then
 * written to the client connection before the stream is marked. */
3103 if (BUG(errmsg == NULL))
3104 errmsg =
"HTTP/1.0 400 Bad Request\r\n\r\n";
3105 log_info(
LD_EDGE,
"HTTP tunnel error: saying %s",
escaped(errmsg));
3106 connection_buf_add(errmsg, strlen(errmsg),
ENTRY_TO_CONN(conn));
3110 connection_mark_unattached_ap(conn,
/* Listing fragment: searches for a stream ID not already used on a circuit.
 * Lines between the numbered ones are not shown.
 * The search is bounded: "1<<16" binds tighter than ">", so the failure path
 * is taken once attempts exceeds 65536, which guarantees termination when
 * every ID is taken. A candidate of 0 is treated specially (presumably
 * skipped -- the statement under that test is elided), and each candidate is
 * compared against the stream_id of existing streams before it is
 * returned. */
3131 uint32_t attempts=0;
3135 if (++attempts > 1<<16) {
3137 log_warn(
LD_APP,
"No unused stream IDs. Failing.");
3140 if (test_stream_id == 0)
3143 if (tmpconn->
stream_id == test_stream_id)
3150 return test_stream_id;
3178 const node_t *exitnode = NULL;
3191 if (ap_conn->entry_cfg.ipv4_traffic && !ap_conn->entry_cfg.ipv6_traffic)
3194 if (! cpath_layer ||
3198 if (!ap_conn->entry_cfg.ipv4_traffic)
3203 if (ap_conn->entry_cfg.ipv6_traffic && exitnode) {
3218 if (ap_conn->entry_cfg.prefer_ipv6)
3223 log_warn(
LD_EDGE,
"I'm about to ask a node for a connection that I "
3224 "am telling it to fulfil with neither IPv4 nor IPv6. That's "
3225 "not going to work. Did you perhaps ask for an IPv6 address "
3226 "on an IPv4Only port, or vice versa?");
3259 connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
/* payload_len counts the string plus its terminating NUL. The 4-byte flags
 * word is appended directly after that NUL, and only when
 * payload_len <= RELAY_PAYLOAD_SIZE - 4, so the write ends at or before
 * offset RELAY_PAYLOAD_SIZE.
 * NOTE(review): the declaration of payload and the code that formats the
 * string into it are elided -- confirm payload is at least
 * RELAY_PAYLOAD_SIZE bytes and that payload_len is advanced by 4 after the
 * append. */
3274 payload_len = (int)strlen(payload)+1;
3275 if (payload_len <= RELAY_PAYLOAD_SIZE - 4 && edge_conn->begincell_flags) {
3276 set_uint32(payload + payload_len, htonl(edge_conn->begincell_flags));
3281 "Sending relay cell %d on circ %u to begin stream %d.",
3287 RELAY_COMMAND_BEGIN_DIR : RELAY_COMMAND_BEGIN;
3290 if (begin_type == RELAY_COMMAND_BEGIN) {
3294 assert_circ_anonymity_ok(circ, options);
3295 }
else if (begin_type == RELAY_COMMAND_BEGIN_DIR) {
3299 if (BUG(!base_conn->
linked)) {
3305 if (!linked_dir_conn_base) {
3313 TO_DIR_CONN(linked_dir_conn_base)->router_purpose,
3314 TO_DIR_CONN(linked_dir_conn_base)->requested_resource)) {
3315 assert_circ_anonymity_ok(circ, options);
3320 tor_assert_unreached();
3324 begin_type == RELAY_COMMAND_BEGIN ? payload : NULL,
3325 begin_type == RELAY_COMMAND_BEGIN ? payload_len : 0) < 0)
3331 log_info(
LD_APP,
"Address/port sent, ap socket "TOR_SOCKET_T_FORMAT
3333 base_conn->
s, (
unsigned)circ->base_.
n_circ_id);
3337 if ((connection_get_inbuf_len(base_conn) ||
3338 ap_conn->sending_optimistic_data) &&
3340 log_info(
LD_APP,
"Sending up to %ld + %ld bytes of queued-up data",
3341 (
long)connection_get_inbuf_len(base_conn),
3342 ap_conn->sending_optimistic_data ?
3343 (
long)
buf_datalen(ap_conn->sending_optimistic_data) : 0);
3345 connection_mark_for_close(base_conn);
3361 const char *string_addr;
3381 connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
3390 payload_len = (int)strlen(string_addr)+1;
3401 log_warn(
LD_APP,
"Rejecting ill-formed reverse lookup of %s",
3402 safe_str_client(a));
3403 connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
3409 log_warn(
LD_BUG,
"Couldn't generate reverse lookup hostname of %s",
3410 safe_str_client(a));
3411 connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
3415 string_addr = inaddr_buf;
3416 payload_len = (int)strlen(inaddr_buf)+1;
3417 tor_assert(payload_len <= (
int)
sizeof(inaddr_buf));
3421 "Sending relay cell to begin stream %d.", edge_conn->
stream_id);
3424 RELAY_COMMAND_RESOLVE,
3425 string_addr, payload_len) < 0)
3433 log_info(
LD_APP,
"Address sent for resolve, ap socket "TOR_SOCKET_T_FORMAT
3435 base_conn->
s, (
unsigned)circ->base_.
n_circ_id);
3449 char *address, uint16_t port,
3451 int session_group,
int isolation_flags,
3452 int use_begindir,
int want_onehop)
3457 log_info(
LD_APP,
"Making internal %s tunnel to %s:%d ...",
3458 want_onehop ?
"direct" :
"anonymized",
3459 safe_str_client(address), port);
3490 base_conn->
address = tor_strdup(
"(Tor_internal)");
3492 base_conn->
port = 0;
3496 if (connection_add(base_conn) < 0) {
3497 connection_free(base_conn);
3506 connection_ap_mark_as_pending_circuit(conn);
3507 log_info(
LD_APP,
"... application connection created and linked.");
3522 expires = time(NULL) + ttl;
3523 if (answer_type == RESOLVED_TYPE_IPV4 && answer_len >= 4) {
3527 cp, expires, NULL, 0);
3529 }
else if (answer_type == RESOLVED_TYPE_HOSTNAME && answer_len < 256) {
3530 char *cp = tor_strndup(answer, answer_len);
3532 cp, expires, NULL, 0);
3536 "<error>", time(NULL)+ttl,
3562 log_warn(
LD_BUG,
"Got called with address of unexpected family %d",
3565 RESOLVED_TYPE_ERROR,0,NULL,-1,-1);
3582 const uint8_t *answer,
3590 if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4) {
3598 }
else if (answer_type == RESOLVED_TYPE_IPV6 && answer_len == 16) {
3606 }
else if (answer_type == RESOLVED_TYPE_HOSTNAME && answer_len < 256) {
3607 char *cp = tor_strndup((
char*)answer, answer_len);
3627 (
char*)answer, ttl, expires);
/* Listing fragment: builds the SOCKS reply for a resolve answer. Lines
 * between the numbered ones are not shown, including the declaration of buf.
 * SOCKS4 branch: the 4-byte copy happens only when the answer is IPv4 and
 * answer_len is exactly 4; otherwise the reply is SOCKS4_REJECT with bytes
 * 2..7 zeroed. */
3636 if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4) {
3637 buf[1] = SOCKS4_GRANTED;
3639 memcpy(buf+4, answer, 4);
3642 buf[1] = SOCKS4_REJECT;
3643 memset(buf+2, 0, 6);
/* SOCKS5 branch: each memcpy() is preceded by a length test on the same
 * condition -- exactly 4 for IPv4, exactly 16 for IPv6, and below 256 for a
 * hostname, which also makes answer_len fit the single length byte written
 * to buf[4]. The longest reply these lines can produce is
 * 5 + 255 + 2 = 262 bytes.
 * NOTE(review): confirm buf is at least that large, and that answer_len is
 * an unsigned type -- "< 256" bounds the copy only if the value cannot be
 * negative. Any other answer yields SOCKS5_HOST_UNREACHABLE with bytes 2..9
 * zeroed. */
3649 if (answer_type == RESOLVED_TYPE_IPV4 && answer_len == 4) {
3650 buf[1] = SOCKS5_SUCCEEDED;
3653 memcpy(buf+4, answer, 4);
3656 }
else if (answer_type == RESOLVED_TYPE_IPV6 && answer_len == 16) {
3657 buf[1] = SOCKS5_SUCCEEDED;
3660 memcpy(buf+4, answer, 16);
3663 }
else if (answer_type == RESOLVED_TYPE_HOSTNAME && answer_len < 256) {
3664 buf[1] = SOCKS5_SUCCEEDED;
3667 buf[4] = (char)answer_len;
3668 memcpy(buf+5, answer, answer_len);
3670 replylen = 5+answer_len+2;
3672 buf[1] = SOCKS5_HOST_UNREACHABLE;
3673 memset(buf+2, 0, 8);
/* The end reason passed along with the reply is 0 for the three answer types
 * above and END_STREAM_REASON_RESOLVEFAILED for everything else.
 * NOTE(review): this expression tests answer_type only, not the length
 * checks used when building buf, so an answer of a known type with an
 * unexpected length gets a failure reply but a 0 end reason -- confirm that
 * is intended. */
3681 (answer_type == RESOLVED_TYPE_IPV4 ||
3682 answer_type == RESOLVED_TYPE_IPV6 ||
3683 answer_type == RESOLVED_TYPE_HOSTNAME) ?
3684 0 : END_STREAM_REASON_RESOLVEFAILED);
3698 size_t replylen,
int endreason)
3714 STREAM_EVENT_SUCCEEDED : STREAM_EVENT_FAILED,
3720 if (status == SOCKS5_SUCCEEDED ||
3721 endreason == END_STREAM_REASON_RESOLVEFAILED ||
3722 endreason == END_STREAM_REASON_CONNECTREFUSED ||
3723 endreason == END_STREAM_REASON_CONNRESET ||
3724 endreason == END_STREAM_REASON_NOROUTE ||
3725 endreason == END_STREAM_REASON_RESOURCELIMIT) {
3728 if (endreason != END_STREAM_REASON_RESOLVEFAILED) {
3730 "No origin circuit for successful SOCKS stream %"PRIu64
3752 log_warn(
LD_BUG,
"(Harmless.) duplicate calls to "
3753 "connection_ap_handshake_socks_reply.");
3765 response =
"HTTP/1.0 400 Bad Request\r\n\r\n";
3767 connection_buf_add(response, strlen(response),
ENTRY_TO_CONN(conn));
3770 buf[1] = (status==SOCKS5_SUCCEEDED ? SOCKS4_GRANTED : SOCKS4_REJECT);
3775 memset(buf,0,
sizeof(buf));
3778 buf[1] = (char)status;
3785 buf[1] = (char)status;
3809 uint8_t *end_reason_out)
/* Fragment of the relay begin-cell parser. The gutter numbers skip, so the
 * header decoding, the assignment of body and the return statements are not
 * part of this listing. */
3812 const uint8_t *body, *nul;
/* The output struct is zeroed before any field is parsed, and the end
 * reason defaults to MISC until a more specific one is set below. */
3814 memset(bcell, 0,
sizeof(*bcell));
3815 *end_reason_out = END_STREAM_REASON_MISC;
3824 if (rh.
command == RELAY_COMMAND_BEGIN_DIR) {
3825 bcell->is_begindir = 1;
3827 }
else if (rh.
command != RELAY_COMMAND_BEGIN) {
3828 log_warn(
LD_BUG,
"Got an unexpected command %d", (
int)rh.
command);
3829 *end_reason_out = END_STREAM_REASON_INTERNAL;
/* The terminator search is bounded by rh.length, so it does not read past
 * the declared payload. NOTE(review): that rh.length is itself within the
 * cell body must be established in the lines not shown -- confirm. */
3834 nul = memchr(body, 0, rh.
length);
3837 "Relay begin cell has no \\0. Closing.");
3838 *end_reason_out = END_STREAM_REASON_TORPROTOCOL;
3844 &bcell->address,&bcell->port)<0) {
3846 "Unable to parse addr:port in relay begin cell. Closing.");
3847 *end_reason_out = END_STREAM_REASON_TORPROTOCOL;
/* A parsed port of 0 is treated as a protocol violation. */
3850 if (bcell->port == 0) {
3852 "Missing port in relay begin cell. Closing.");
3854 *end_reason_out = END_STREAM_REASON_TORPROTOCOL;
/* Bounds check against the end of the payload before using data placed
 * after the terminator; presumably this guards a read of the bytes
 * following nul on the next, omitted line -- confirm. */
3857 if (body + rh.
length >= nul + 4)
3877 log_debug(
LD_REND,
"Connecting the hidden service rendezvous circuit "
3878 "to the service destination.");
3881 conn->base_.
address = tor_strdup(
"(rendezvous)");
3890 }
else if (origin_circ->
hs_ident) {
3902 log_info(
LD_REND,
"Didn't find rendezvous service at %s",
3911 END_STREAM_REASON_DONE,
3943 if (conn->hs_ident) {
3946 export_hs_client_circuit_id(conn, circuit_id_protocol);
3980 char *address = NULL;
3988 uint8_t end_reason=0;
4001 return -END_CIRC_REASON_TORPROTOCOL;
4006 "Relay begin cell at non-server. Closing.");
4008 END_STREAM_REASON_EXITPOLICY, NULL);
4014 return -END_CIRC_REASON_TORPROTOCOL;
4015 }
else if (rv == -1) {
4021 if (! bcell.is_begindir) {
4024 address = bcell.address;
4027 if (or_circ && or_circ->
p_chan) {
4037 "Attempt by %s to open a stream %s. Closing.",
4039 client_chan ?
"on first hop of circuit" :
4040 "from unknown relay");
4043 END_STREAM_REASON_TORPROTOCOL :
4044 END_STREAM_REASON_MISC,
4050 }
else if (rh.
command == RELAY_COMMAND_BEGIN_DIR) {
4054 END_STREAM_REASON_NOTDIRECTORY, layer_hint);
4062 if (or_circ && or_circ->
p_chan &&
4066 address = tor_strdup(
"127.0.0.1");
4072 log_warn(
LD_BUG,
"Got an unexpected command %d", (
int)rh.
command);
4074 END_STREAM_REASON_INTERNAL, layer_hint);
4085 END_STREAM_REASON_EXITPOLICY, layer_hint);
4090 log_debug(LD_EXIT,
"Creating new exit connection.");
4100 n_stream->begincell_flags = bcell.flags;
4102 n_stream->base_.
port = port;
4121 n_stream->base_.
address = address;
4128 END_STREAM_REASON_HIBERNATING, NULL);
4135 if (rh.
command == RELAY_COMMAND_BEGIN_DIR) {
4145 log_debug(LD_EXIT,
"about to start the dns_resolve().");
4151 log_debug(LD_EXIT,
"about to call connection_exit_connect().");
4156 END_STREAM_REASON_RESOLVEFAILED, NULL);
4191 dummy_conn->base_.
address = tor_strndup(
4194 dummy_conn->base_.
port = 0;
4222 const char **why_rejected)
4228 *why_rejected =
" (IPv6 address without IPv6Exit configured)";
/* Fragment of the exit-side connect path. The gutter numbers skip, so the
 * policy-check call itself and the other log arguments are not part of this
 * listing. */
4247 int socket_error = 0, result;
/* Starts as NULL; the policy check receives its address as an out-parameter. */
4248 const char *why_failed_exit_policy = NULL;
4253 edge_conn->base_.
port,
4254 &why_failed_exit_policy)) {
/* A rejection without a reason string is flagged as a bug, and "" is
 * substituted so the %s in the log call below never receives NULL. */
4255 if (BUG(!why_failed_exit_policy))
4256 why_failed_exit_policy =
"";
4257 log_info(LD_EXIT,
"%s failed exit policy%s. Closing.",
4259 why_failed_exit_policy);
/* conn is released here; it must not be used again on this path. */
4262 connection_free(conn);
4266 #ifdef HAVE_SYS_UN_H
4277 log_debug(LD_EXIT,
"about to try connecting");
4279 addr, port, &socket_error);
4280 #ifdef HAVE_SYS_UN_H
4290 log_debug(LD_EXIT,
"about to try connecting");
4291 result = connection_connect_unix(conn, conn->
address, &socket_error);
4300 connection_free(conn);
4314 if (connection_get_outbuf_len(conn)) {
4325 RELAY_COMMAND_CONNECTED,
4329 int connected_payload_len =
4332 if (connected_payload_len < 0) {
4335 connection_free(conn);
4340 RELAY_COMMAND_CONNECTED,
4341 (
char*)connected_payload,
4342 connected_payload_len);
4359 log_info(LD_EXIT,
"Opening local connection for anonymized directory exit");
4366 dirconn->base_.
port = 0;
4378 if (connection_add(
TO_CONN(exitconn))<0) {
4389 if (connection_add(
TO_CONN(dirconn))<0) {
4392 connection_mark_for_close(
TO_CONN(exitconn));
4401 RELAY_COMMAND_CONNECTED, NULL, 0) < 0) {
4402 connection_mark_for_close(
TO_CONN(exitconn));
4403 connection_mark_for_close(
TO_CONN(dirconn));
4418 tor_assert_nonfatal(!(conn->
rend_data && conn->hs_ident));
4420 if (conn->
rend_data || conn->hs_ident) {
4445 const node_t *chosen_exit =
4466 }
else if (!conn->entry_cfg.ipv4_traffic && conn->entry_cfg.ipv6_traffic) {
4469 }
else if (conn->entry_cfg.ipv4_traffic && !conn->entry_cfg.ipv6_traffic) {
4498 memeq_opt(
const char *a,
size_t alen,
const char *b,
size_t blen)
4502 }
else if (b == NULL) {
4504 }
else if (alen != blen) {
4539 log_warn(
LD_BUG,
"Reached connection_edge_compatible_with_circuit without "
4540 "having set conn->original_dest_address");
4557 circ->socks_username, circ->socks_username_len) ||
4559 circ->socks_password, circ->socks_password_len)))
4592 log_warn(
LD_BUG,
"Reached connection_update_circuit_isolation without "
4593 "having set conn->original_dest_address");
4610 circ->socks_username = sr->
username ?
4612 circ->socks_password = sr->
password ?
4626 circ->socks_username, circ->socks_username_len) ||
4628 circ->socks_password, circ->socks_password_len))
4644 log_warn(
LD_BUG,
"Updating a circuit with seemingly incompatible "
4645 "isolation flags.");
4667 log_warn(
LD_BUG,
"Tried to clear the isolation status of a dirty circuit");
4671 log_warn(
LD_BUG,
"Tried to clear the isolation status of a non-open "
/* Fragment that resets a circuit's stream-isolation fields. The gutter
 * numbers skip, so the lines after each memwipe (and the closing braces)
 * are not part of this listing. */
4679 circ->client_proto_type = 0;
4680 circ->client_proto_socksver = 0;
4681 circ->dest_port = 0;
4684 circ->session_group = -1;
4685 circ->nym_epoch = 0;
/* The SOCKS credentials are overwritten in place, over their stored
 * lengths, with the fill bytes 0x11 and 0x05.
 * NOTE(review): memwipe is defined elsewhere; presumably it is a wipe the
 * compiler will not elide, and the buffers are released in the omitted
 * lines -- confirm. */
4686 if (circ->socks_username) {
4687 memwipe(circ->socks_username, 0x11, circ->socks_username_len);
4690 if (circ->socks_password) {
4691 memwipe(circ->socks_password, 0x05, circ->socks_password_len);
/* Lengths are cleared only after both wipes have used them. */
4694 circ->socks_username_len = circ->socks_password_len = 0;
4713 connection_mark_for_close(
TO_CONN(conn));
4720 untried_pending_connections = 0;